Jul 29, 2011 17:51 GMT  ·  By

Facebook has launched a security bug bounty program through which it will pay security researchers for discovering and privately reporting vulnerabilities in its platform.

Back in May we were the first to report that Facebook intended to create a security rewards program for whitehat hackers, a plan the company's chief security officer, Joe Sullivan, revealed at the Hack in the Box Amsterdam security conference.

It seems that Facebook has finally got around to solving the legal challenges that such an effort involves, and it publicly announced the program's availability today.

The company offers $500 rewards for reports that qualify. Adhering to the company's one-paragraph responsible disclosure policy is mandatory. That policy reads:

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

In addition, only researchers who report a vulnerability for the first time qualify for the reward. If two researchers happen to find the same bug independently, the first one who reports it gets the money.

The types of vulnerability that qualify for rewards are cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF) and remote code injection. In addition, the bug must be one that could compromise the integrity and privacy of Facebook user data.

While the typical payout is $500, the reward can be increased in special cases, although the company does not specify any criteria for this. It's also worth noting that only residents of countries that are not under United States sanctions qualify. Researchers from North Korea, Libya, Cuba and other similar countries won't be eligible to receive rewards.

Vulnerabilities in third-party Facebook applications and in websites that integrate with the platform will not be rewarded, and neither will those in Facebook's corporate infrastructure, those that lead to denial-of-service conditions, or spam and social engineering techniques.

Facebook's decision to launch a security bug bounty program for its web platform follows similar decisions by Google and Mozilla to extend their security reward efforts to their web properties.